The present invention relates to cryptographic functions and more particularly relates to how cryptographic functions are provided to applications.
Increasingly, computer applications utilize secure communications when communicating with other applications, for example, over an intranet or the Internet. One example of such a secure communication methodology is the Secure Socket Layer (SSL) provided by the Transport Control Protocol/Internet Protocol (TCP/IP). SSL provides for differing levels of encryption. For example, applications using the SSL to communicate may use 56 bit or 128 bit encryption.
Generally, applications utilize a common library which provides the encryption functions used by the application. Thus, for example, a library may provide 56 bit SSL encryption. Typically, this library is utilized by all applications on a processing system for encryption. If a user desires to change the level of encryption then, typically, the user would replace the 56 bit SSL encryption library with a different library. For example, a user may utilize the S-Channel library provided by Microsoft Corporation, Redmond, Wash. to provide increased encryption levels by replacing the existing encryption library with the S-Channel library. After such a replacement, typically, all applications utilizing the SSL for communications would utilize this new library. Thus, the cryptographic level of applications for the processing system will be the highest level of any application on the processing system.
One problem with such a global replacement mechanism relates to United States Government regulations on the export of cryptographic technology. Such regulations control the level of cryptography which may be exported outside the United States or Canada depending on the type of application utilizing the technology. Thus, the conventional technique of utilizing a single library to provide cryptographic functions may be unsuitable for applications which may be exported outside the United States as not all applications will be allowed to utilize the same level as other applications.
One potential method for allowing variations in the cryptographic level for different applications would be to build the cryptographic functions into each application. However, such a system may be costly and require different versions of applications which may result in, for example, increased burdens in service and support. Furthermore, development of applications may become more expensive as each application would need to develop its own cryptographic functions.
Accordingly, a need exists for improvements in how cryptographic functions are provided for applications.
Embodiments of the present invention include methods, systems and computer program products which provide cryptographic services to an application by incorporating in the application an indication of at least one authorized cryptographic function for the application. The indication of at least one authorized cryptographic function for the application is communicated to a cryptographic library capable of supporting a plurality of cryptographic functions. The at least one authorized cryptographic function corresponding to the indication of at least one authorized cryptographic function is then identified as a valid cryptographic function for the application.
In particular embodiments of the present invention, communication of the indication of at least one authorized cryptographic function is accomplished by identifying a location associated with the indication of the at least one authorized cryptographic function to the cryptographic library capable of supporting a plurality of cryptographic functions. The application is called from the library at the identified location utilizing a predefined query format to request notification of cryptographic functions for which the application is authorized. The indication of the at least one authorized cryptographic function is provided from the application to the library utilizing a predefined format in response to the query.
In still further embodiments of the present invention, it is determined if the call from the library to the application is in a format other than the predefined query format. The call is rejected if the call is in a format other than the predefined query format.
In yet other embodiments of the present invention, the call of the application from the library is carried out in a manner which obscures the contents of the call. In particular embodiments, the contents of the call are obscured by calling the application from the library utilizing a void pointer data type for parameters passed to the application. Furthermore, the indication of at least one authorized cryptographic function may also be carried out utilizing a void pointer data type for parameters passed to the library. In further embodiments of the present invention, the application and the library utilize the same predefined data format for sending and receiving parameters defined as a void pointer data type.
In other embodiments of the present invention, the indication of at least one authorized cryptographic function is provided by statically defining the indication in the application when the application is compiled.
In yet other embodiments of the present invention, a process is associated with the application. In such a case, the at least one authorized cryptographic function is identified as a valid cryptographic function for the cryptographic functions requested by all services within a scope associated with the process. In particular embodiments, a location associated with the indication of at least one authorized cryptographic function is identified to the cryptographic library by setting a pointer in a globally accessible memory location associated with the process to point to the location.
In additional embodiments of the present invention, methods, systems and computer program products are provided which may provide a plurality of cryptographic functions utilizing a common library by receiving at the common library a request from an application for a cryptographic function. A predefined global variable is inspected to determine a location to query the application to ascertain authorized cryptographic functions for the application. The determined location is queried utilizing a predefined query format and an identification of authorized cryptographic functions for the application is received. The identification is provided in a predefined identification format.
In additional embodiments of the present invention the query of the determined location is performed in a manner which obscures the predefined query format. For example, the query of the determined location may be performed utilizing pass parameters which have a void pointer data type. Furthermore, the receipt of the identification may also be performed in a manner which obscures the predefined identification format. For example, the receipt of the identification may be performed utilizing pass parameters which have a void pointer data type.
In still further embodiments of the present invention, the identified authorized cryptographic functions are utilized for all services requesting a cryptographic function which are within a scope of a process associated with the application.
In yet other embodiments of the present invention, methods, systems and computer program products are provided which may provide a plurality of cryptographic functions utilizing a common library by statically defining authorized cryptographic functions for an application. A location, associated with the application, for receiving queries for identification of the authorized cryptographic functions for the application is also defined. The location associated with the application is registered with the common library. A query is received at the registered location. The query is in a predefined query format. An identification of the authorized cryptographic functions for the application is provided in response to the query, where the identification is provided in a predefined identification format.
In particular embodiments, the query is received at the registered location in a manner which obscures the predefined query format. For example, the query may be received utilizing pass parameters which have a void pointer data type. Furthermore, the identification may be provided in a manner which obscures the predefined identification format. For example, the identification may be provided utilizing pass parameters which have a void pointer data type.
In further embodiments of the present invention, the identified authorized cryptographic functions are utilized for all services requesting a cryptographic function which are within a scope of a process associated with the application.
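The following C program is an added illustration of the mechanism described in the preceding paragraphs; it is not code from the specification or from any product it mentions. It brings together the pieces the text describes separately: the application statically defines its authorized functions at compile time, registers a query location by setting a pointer in a globally accessible variable, and answers the library's query only when the call is in the predefined query format, rejecting anything else; the library inspects the global variable, issues the query and receives the identification through void pointer parameters so that neither format is visible from the interface, and then applies the result to every request within the process scope. All names (crypto_query_t, crypto_reply_t, g_app_auth_location, the CRYPTO_* flags, the magic values) are assumptions chosen for this example.

```c
/* Added example: a common cryptographic library asks the calling application
 * which cryptographic functions it is authorized to use. All identifiers and
 * constants here are constructed for illustration, not taken from the text. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Cryptographic functions the common library supports (assumed bit flags). */
enum { CRYPTO_SSL_56 = 1, CRYPTO_SSL_128 = 2, CRYPTO_RSA_1024 = 4 };

/* Predefined query format; the library passes it to the application as void*. */
typedef struct {
    uint32_t magic;    /* must equal AUTH_QUERY_MAGIC or the call is rejected */
    uint32_t version;  /* format version both sides were built against */
} crypto_query_t;

/* Predefined identification format; the application returns it as void*. */
typedef struct {
    uint32_t magic;       /* AUTH_REPLY_MAGIC */
    uint32_t authorized;  /* bit mask of CRYPTO_* values */
} crypto_reply_t;

#define AUTH_QUERY_MAGIC    0x41515259u  /* constructed value */
#define AUTH_REPLY_MAGIC    0x41525059u  /* constructed value */
#define AUTH_FORMAT_VERSION 1u

/* The application's query handler. Both parameters are void pointers, so the
 * query and identification formats are not apparent from the interface. */
typedef int (*auth_query_fn)(const void *query, void *reply);

/* Globally accessible location, one per process, that the application sets to
 * tell the library where to send its query (the "registered location"). */
static auth_query_fn g_app_auth_location = NULL;

/* ---- application side -------------------------------------------------- */

/* Statically defined when the application is compiled: this build may only
 * use 56-bit SSL. */
static const uint32_t APP_AUTHORIZED = CRYPTO_SSL_56;

/* Answers the library's query; returns -1 and leaves the reply untouched when
 * the call is in a format other than the predefined query format. */
int app_answer_auth_query(const void *query, void *reply)
{
    const crypto_query_t *q = (const crypto_query_t *)query;
    crypto_reply_t *r = (crypto_reply_t *)reply;
    if (q == NULL || r == NULL) return -1;
    if (q->magic != AUTH_QUERY_MAGIC || q->version != AUTH_FORMAT_VERSION)
        return -1;                      /* not the predefined format: reject */
    r->magic = AUTH_REPLY_MAGIC;
    r->authorized = APP_AUTHORIZED;     /* predefined identification format */
    return 0;
}

/* Registers the query location with the common library. */
void app_register_with_library(void) { g_app_auth_location = app_answer_auth_query; }

/* ---- library side ------------------------------------------------------ */

/* Result cached for the process scope: every service in the process that
 * requests a cryptographic function is checked against the same mask. */
static int      g_auth_cached = 0;
static uint32_t g_auth_mask   = 0;

/* Returns 1 if every function in `function` is a valid cryptographic function
 * for the calling application, 0 otherwise (including when nothing is
 * registered or the reply is malformed: the safe default is to deny). */
int lib_function_authorized(uint32_t function)
{
    if (!g_auth_cached) {
        if (g_app_auth_location == NULL) return 0;
        crypto_query_t q = { AUTH_QUERY_MAGIC, AUTH_FORMAT_VERSION };
        crypto_reply_t r;
        memset(&r, 0, sizeof r);
        if (g_app_auth_location(&q, &r) != 0 || r.magic != AUTH_REPLY_MAGIC)
            return 0;
        g_auth_mask = r.authorized;
        g_auth_cached = 1;
    }
    return (g_auth_mask & function) == function;
}

/* Clears registration and cache so the sequence can be demonstrated again. */
void lib_reset(void) { g_auth_cached = 0; g_auth_mask = 0; g_app_auth_location = NULL; }

int main(void)
{
    app_register_with_library();
    printf("56-bit SSL allowed:  %d\n", lib_function_authorized(CRYPTO_SSL_56));
    printf("128-bit SSL allowed: %d\n", lib_function_authorized(CRYPTO_SSL_128));
    crypto_query_t bad = { 0xdeadbeefu, AUTH_FORMAT_VERSION };  /* wrong format */
    crypto_reply_t r = { 0, 0 };
    printf("malformed query rejected: %d\n", app_answer_auth_query(&bad, &r) != 0);
    return 0;
}
```

The denial-by-default in lib_function_authorized is the design choice worth noting: an application that never registers, or that returns a reply outside the predefined identification format, gets no cryptographic functions rather than the library's full set, which is what keeps a single shared library from silently raising an application's cryptographic level.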
While the invention has been described above primarily with respect to the method aspects of the invention, both systems and/or computer program products are also provided.